Archive for the 'Family' Category

Apr 17 2011

Cloud experiment: Minecraft

Published by under Cloud,Family,Linux

I have two young boys who are addicted to Minecraft.  They wake up in the morning, log onto a Minecraft server, play as long as we’ll let them and then get back onto the servers as soon as we’ll let them.  I was a little concerned at first because I really didn’t know much about the game, but I discovered I had several adult friends in the security community who were also playing the game, so I was willing to let the boys play on a system a friend runs.  I don’t know about you, but it makes me feel a lot better about letting my kids play online when I know I can contact the administrator with a quick phone call or email.

Playing on someone else’s server is fun for the boys, but since Minecraft is a game of mining resources and constructing almost anything you can imagine, an eventual request came to build the boys their own server.  Minecraft isn’t very resource intensive, it’s a Java based program that runs pretty decently on a low end server, at least if you only have two or three people using the server at a time.  Since, like most geeks, I have several computers that are running 24/7 and have some spare memory, I was able to throw up our own home Minecraft server without too many problems.  And as Minecraft has matured and added plugins, I could give the boys additional capabilities and superuser access so they can give themselves whatever resources they want to build anything they want.  This kept them happy for a little while and gave me something to hold over their heads to get their homework done.  It’s a lot easier to deny them access to the server when you can shut it down in a couple of seconds.

The next step came when the boys told their cousin about Minecraft and he started playing as well. It’s a community game and they often play together on public servers, but the lure of having superuser accounts and just having control of their environment with their cousin was strong.  So the continuing plea of ‘Dad, can we make our Minecraft server public?” started.  With the continued reply of “No.” to go with it.  They tried several tactics, such as explaining the white and black listing capabilities of Minecraft, offering their cousin’s server instead if I’d tell them how to make it public, as well as several other plans that only a pre-teen could come up with.  All of which were still denied.

It’s not that I don’t want my sons to have their own Minecraft server, it’s just that the security of my home network is more important to me than them playing a game that necessitates poking a hole in my network to the outside world.  I’m a security professional and I know that despite that, I don’t know enough to lock down any program with 100% certainty once I’ve opened it up to the Internet.  I do not currently allow any services to be served to the Internet from my home network and I have no intentions of changing that in the near future.  I’ve also had several discussions that lead me to believe that while Minecraft doesn’t have any currently know publicly exploitable vulnerabilities, security is not a major concern of the developers and it’s only a matter of time before someone turns their full attention to rectifying the lack of exploits.  Especially considering how popular Minecraft has become.

I’m the kind of father who wants to give their kids as many geek toys as he can, first to test my own abilities and second to give them something to stretch their own capabilities.  Or perhaps it’s the other way around.  In either case, I wanted to give my kids what they wanted, a publicly accessible Minecraft server that was not part of my home network and did not put any of my resources at risk, however minor.  Which is when I realized I had a technology I’ve been meaning to learn more about and was just looking for an excuse to play with:  the Cloud!  I’ve been remiss in my duties as a geek and security professional in that I’d been reading about Cloud technologies, I’ve been listening to what others have to say and I’ve even given a talk about PCI in the Cloud, but I’d never actually signed up for a cloud service and created my own server because I didn’t have a real use for one.  Setting up a Minecraft server on Amazon’s EC2 this weekend became the perfect solution to both issues, giving the boys a Minecraft server that I didn’t care who connected to and giving me a chance to stretch a little and learn more about the technology that is on everyone’s lips this year (and probably the next several)

I’ll be honest, one of the things that made this easy is that I found a step by step guide to creating a Minecraft server on the Minecraft forums.  I’m including a copy of the guide in the extended post because I don’t want to take the chance of losing the information if something happens on the forums, an old habit of mine.  I’ll add a few of my own notes to it as well.  This was a huge help and probably cut my installation time by 3/4.

Signing up for all the Amazon Web Services was easy and only took about 30 minutes.  I needed to sign up for these in any case for another project, but that’s someone else’s tale to tell when he’s ready.  From that point on, the guide was spot on.  I don’t think it was more than 30 minutes later that I had the boys personal Minecraft server up and running.  As suggested, I chose a small, spot request instance of the default Linux installation, reserved an Elastic IP address, associated it and the server was up and running.  I performed a few additional steps, like installing Bukkit and half a dozen plugins that the boys requested.  Most of it was as easy as using wget to pull first bukkit and then the plugins and restarting server.  I did have one minor problem in that one of the plugins was being hosted on a server using HTTPS and I had to modify the wget parameters, but that’s relatively minor to overcome.

I’ve been running our Minecraft server on Amazon’s EC2 for about 24 hours now.  I made it clear to the boys that this server is only going to be up when evenings and weekends, which turns out to be a good thing.  It’s not a huge cost, but in the past day this installation of Minecraft has cost me approximately $1.50 to run at a fairly low load, which could quickly add up to $40-50 or more per month.  If there were more people using it, if their cousin actually had a full Minecraft account and could play with them, and if I didn’t already have a Minecraft server running on the home network, I might be willing to pay that, but for the most part they’re going to have to live with the server only being available when I say it is.  I’m not an authoritarian … wait, no scratch that.  When it comes to my kids, yes, I am the authorities and my wife lets me say so.

All in all, this was a worthwhile project; it gave me some experience with the Cloud and specifically AWS.  I walked the kids through some sections of the installation, which taught us all a few lessons.  They get a Minecraft server they can share with their cousin and friends, without my having to open my network or pay an arm and a leg.  But I am realizing that it’s important to watch your Cloud instances or you’re going to end up paying a lot more than you thought very quickly.

Continue Reading »

25 responses so far

Sep 13 2010

What skills should a geek kid learn?

Published by under Family,Hacking,Social Networking

In a few weeks HacKid will be coming up in Boston at the Microsoft NERD Center.  Flying cross-country to attend with my family didn’t quite work out, but it did get me thinking some about the skills I’d like my two boys to master before they’re too old to learn to learn anything from their father or any adult, which I figure is about 15.  I don’t mean the stuff they learn in school, which while valuable are not necessarily the skills they’re going to need to survive on a daily basis.  I was wondering about the geek skills, both technical and non-technical.  Since I’ve recently started playing with lock picks, I decided that would be one of the first of these skills, but I turned to the wisdom of Twitter to add to the list.  Below is a compilation of the list I started and some of the suggestions I got from Twitter.

Here you go:

  • Lock picking (physical security being taught at HacKid)
  • How to social engineer a password from someone
  • Fix a printer (or at least replace the paper/cartridge and pull out jammed paper)
  • Martial arts/Self-defense (also being taught at HacKid)
  • Electronics/soldering/circuit boards (I’d have to learn more about this one myself)
  • Amateur (Ham) radio
  • Fast reading/Critical thinking (they’ve got the first handled, I can barely keep these kids in books)
  • Conflict management
  • How to build a tree fort
  • How to build a home network
  • How to build a computer
  • How to change a tire (This one will wait until they’re a little older)
  • How to repair a consumer device, how to fix a motor
  • How to improvise to build what they need (aka Duct tape foo)
  • Role playing games (so this one will do more harm than good, it’s still fun)
  • Basic self-reliance (which our society seems to want to train out of us) [ireadit]
  • Basic carpentry and plumbing skills [ireadit]
  • Debate skills [Matt Summers]
  • Rope skills: how to make, how to coil without kinks, how to tie knots [Chris J]
  • Bike maintenance [Robin]
  • Basic navigation, both with and without a compass (my kids have been orienteering since they were in diapers) [Robin]
  • Juggling (fun, but essential?) [Robin]
  • Coin/close up magic, handy for social engineering [Robin]
  • How to swim [Norbert]
  • Learn to play an instrument [Robb]
  • How to play all major sports [Robb]
  • Basic cooking skills [Peter]
  • Basic first aid (Like ‘Call 911!’?) [Peter]
  • Linux & Windows command-line fu, a programing language (Does Scratch count?) [Chris]
  • And?

Leave comments and I’ll add to the list

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

16 responses so far

Aug 25 2010

May see you at HacKid

Published by under Family,Hacking

Zach Lanier brought up HacKid (pronounced ‘hacked’ I’m told) on the podcast last night and I just realized I haven’t even written a single post on the subject.  My friend Chris Hoff, aka @beaker, is one of the key organizers and Zach is on the committee as well, and this looks like it’s going to be the start of something that’s every bet as fresh and original as BSides, except this time it will be kids who are learning, rather than a bunch of angsty security professionals who felt they weren’t being properly represented at Black Hat (I’m teasing, if that isn’t immediately obvious)

My kids are little geeks, similar to many of your kids in all likelihood.  They wake up in the morning and hop online or start playing on the DSi, or just pick up a book and read.  Their favorite magazines are Make and Science Illustrated.  And some fool introduced them to Japanese (is there any other type?) anime a couple of years ago.  So a convention aimed at teaching them how the Internet works, how to stay safe online and building robots really appeals to them.  Add to it that the convention is happening at the Microsoft NERD center and MIT is just down the street and you’ve got something that budding geeks will find unresistable.

If you’re on the East Coast anywhere near Boston, have kids between the ages of 5 and 17, think about taking them to HacKid in October.  Do keep in mind that every young person must be accompanied by an old person (read: adult guardian), but that each of the classes will likely have almost as much to teach the adult as they do the kids.  Everything is being done on a volunteer basis and the event is organized as a non-profit, so the money is all going to a good cause.  But hurry if you’re going to sign up, the cost goes up from $50 each to $75 next week. 

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

One response so far

Aug 08 2010

Would you let your wife track your movement? I will

Published by under Apple/Mac,Family,Privacy

I make no secret of how much I value privacy.  Which is weird coming from someone like myself who spends so much time on social networking, blogging and generally shouting my activities to the world.  But I control most of that information, which is what privacy is all about in the digital age.  So why am I talking about letting my wife track my every move?  Because I received a press release about the Family Tracker application for the iPhone and iPad, and rather than just go on a diatribe about how such a system could be misused, I have decided that for the next few weeks I will voluntarily give my wife the ability to track the location of my iPhone anywhere it goes.  And since I’m almost never without my iPhone, it means she’ll be able to track my movement at all times.  Besides, she just gave me “the Look” when I asked if it was okay for me to track her movements; allowing her to track me was obviously a healthier choice.

I don’t like the idea of tracking of people, especially if they don’t know about it.  The potential for abuse far outweighs the benefits in most cases.  Whether it’s a spouse or parent abusing the tracking, someone abusing access to the vendor or law enforcement legally tracking someone, I get very nervous about what CAN happen.  So when I got the press release for Family Tracker and an offer for promotional codes, I decided it was time to bite the bullet that is my paranoia and see how a tracking program like this is used in real life. 

I travel.  A lot.  In the next few weeks I’ll be crossing the country several times and I’ll be gone from home more than I’ll be there.  I post my travel schedule on several calendars around my office, so which city I’m in is rarely a question and I use FourSquare enough that my location has never really been a mystery anyway.  But I’ve always been in control of both of these methods of tracking and giving my family a tool to tell where I am almost every moment of the day is new and interesting experience for me.  I suspect that my wife will look me up once or twice and then ignore the application 99% of the time.  But she has surprised me before.

I’ve set it up so I can track myself and my iPhone from my iPad, so even if my wife doesn’t want to track me, I can still find out more about what the program is capable off.  And unless I do something stupid that involves the police, I doubt anyone else will want to track me.  If anyone really wants to know my whereabouts, there’s more than enough information already on the Internet to find me if someone takes the time.  This will just make it a little easier.

So through the end of the month my little social experiment will be running. After that, we’ll see.  It may be that my wife likes being able to track me.  Or she may just say, “Meh.  If I want to know where you are, I’ll just call.”  I’m almost as interested in seeing how she uses Family Tracker as I am in seeing if she thinks being able to track me is worthwhile.  I honestly don’t know which way she’ll decide.

After the break is the information the folks at LogSat sent me when I expressed interest in their product, which covers several important questions about how Family Tracker works.
Continue Reading »

2 responses so far

May 21 2010

Rich will be on Science Friday today!

Published by under Family,Privacy

It’s only a couple of hours away, but Rich Mogull will be on Science Friday today talking about online privacy and Facebook.  I don’t know how much time he’ll have on the air, but he’s living a geek’s wet dream by getting on NPR and being asked about privacy.  I’m sure the show will be available as a podcast and online later, but I’ll be sure to listen in live.

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

No responses yet

Feb 24 2010

LMSD should have used due process

I make no secret about being a privacy advocate, however many people misunderstand what I’m against when I talk about our government spying on us.  I firmly believe that having the ability to monitor communications, search people’s houses and generally stick their noses in anywhere are all abilities that local and federal law enforcement agencies need to have.  But there’s one caveat I believe must be in place: for any sort of monitoring and spying there has to be oversight by a third party and a way to redress problems when someone abuses this power.  This oversight is one of the primary reasons cops have to go to judges to get a search warrant and we have many of the freedoms we do in the US.  Without oversight, we’d descend into a police state that matches the worst of our criticisms against countries such as China and Iran.  This is a lesson the administrators at the the Lower Merion School District forgot in their rush to use camera’s on student laptops to spy on the kids and prove wrong-doing that may or may not have been there.

Unless you’ve been hiding under a rock for the last week, you know about this case; quick recap is that a Vice Principal used a picture captured using LANRev on school provided laptops to accuse a student of taking drugs.  This prompted a class action suit and a potential criminal investigation into the district’s use of LANRev to illegally spy on students.  There’s a lot of damning evidence available on the Internet and it’s looking likely that a number of people will be facing criminal charges.  And it’s all because these people believed they were doing the right thing in tracking their laptops and their students without some form of oversight to tell them they were being complete and utter idiots.

Absolute Software, the makers of LANRev, understand that giving customers unrestricted access to spy using their computers is a major problem; they require that a police report be filed prior to the spying capabilities of their other, similar products such as LoJack are activated.  First of all, this creates the oversight advocates such as I crave.  Not too many people are going to report a laptop stolen so they can spy on their significant other.  Secondly it creates a paper trail that lays out when and why the spying capabilities were activated.  Even after these capabilities are up and running, it’s under the control of Absolute, not the end user.  In their own words this prevents “potential vigilantism” and other abuses of power. 

If what the families in the Lower Merion School District are claiming is true, and it appears more and more likely it is, then folks like the Vice Principal at Harrington High are definitely vigilantes, someone who illegally tries to mete out punishment to a criminal.  There’s a reason we have due process and the administrators of LMSD forgot all of them in their fervor to catch students doing things they shouldn’t at home.  They also forgot that the responsibility of schools and teachers is to teach, not law enforcement.  If they truly believed there was wrong doing going on, the police should have been called in and proper procedures should have been followed.  There’s still a good probability that using LANRev without a search warrant would have been considered an invasion of privacy, but if it was done with police involvement, there’s a lot lower chance they’d be in the hot water they’re in now.  And maybe someone with a little knowledge of the law would have said, “Hey, that’s one monumentally stupid idea you’ve got there.”

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

3 responses so far

Feb 23 2010

Hole in the system

Published by under Family,PCI,Simple Security

This one hit’s close to home quite literally; Andrew Storms had some major issues this weekend with how a pizza place close to his house handled his credit card information.  Andrew only lives a city or so away from me and the pizzeria is one that I might visit for lunch or dinner given the chance.  Or rather, I might have before I read his story.  Now I’ll probably avoid it, going some place where I have a little more hope they’ll treat my credit card and other personal information with a little more caution.

The short version of Andrew’s story is that he ordered a pizza online and when the owner/delivery guy showed up, he told Andrew he’d received the credit card number via email from the central corporate website in an email.  There are so many forms of wrong here that it’s hard to know where to start.  This is a violation of PCI, there’s a chance it’s a violation of several state and federal laws (depending on how card data is handled from this point on) and it is simply bad practice in general.  But the real problem came when Andrew tried to figure out how to report this and get the merchant to change how he’s doing business.  As best as we can figure out, there is no way for a consumer to report a merchant to the credit card companies or his acquiring bank. 

It’s a huge hole in the system.  The pizzeria is a very small chain, there’s a corporate web site that’s probably run by a third party and it’s mailing credit card numbers, along with other important PII like name and address.  Unless the owner is using a shredder, which I doubt, all it would take is one episode of dumpster diving for a local data breach to happen.  While the pizzeria probably doesn’t get more than a couple dozen online orders a week, even one breach is too many if it’s your credit card.

Consumers don’t have much power in the credit card system, but this is an egregious issue that should have some sort of reporting mechanism.  Andrew canceled his card and tried to report the merchant, but there’s literally no way I or anyone I know can think of to report the merchant and force some sort of change to their system.  Quite frankly they’re a Level 4 merchant who might have heard of PCI but has no idea it actually applies to them.  It’s not a problem of the merchant being malicious, it’s a problem of the merchant simply being ignorant of the problem and having bigger issues to worry about, such as trying to get a new business off the ground.  I don’t blame him, but I do want some form of reporting for situations like this so that consumers can be protected and merchants can be warned to stop practices that are dangerous to their customers.

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

2 responses so far

Feb 20 2010

Interview in the LMSD case

Here’s an interview with the family of the student who is at the center of the Lower Meridion School District.  I’m glad I didn’t see the interview before I’d written my previous post on the situation.  If what the family says is true, almost every statement that the school has made so far is false, from claiming that the spyware was only used 42 times to the statement that it was only activated when a laptop was reported stolen.  The Vice Principal accused Blake Robbins of trying to sell drugs online with proof of a picture taken from the laptop.  What Blake says he was really holding up weren’t drugs but candy.  And the Father hits the nail on the head in saying that his biggest concern is his 18 year old daughter who also has a school provided laptop with the same software installed.

I’m not exaggerating when I say I believe that the majority of the administration at the Lower Merion School District needs to be at least suspended pending investigation if not summarily fired!  The utter lack of moral and ethical compass that was required for this situation to come about is staggering.  I can understand wanting to protect an investment, but the slide from that to spying on school children should be obvious to anyone with a shred of common sense.  Lacking that much common sense tells me these people are unworthy of being in the school system and of teaching our children basic knowledge.  The LMSD is going to have to do serious damage control and their first step has to be keeping the people involved in this mess away from children.

This situation is going to have far ranging consequences and will hopefully change the way school administrators feel about monitoring students.  If you’re school district provides computers for your children, you need to make them aware of this situation and ask them if they’re doing anything similar.  If they answer yes, demand a full audit of the system and who accessed it immediately!  Don’t take ‘no’ for an answer; get a lawyer involved if you have to.  If you’re a teacher or an administrator who has similar software installed on laptops you’ve provided to your students, disable the program immediately and begin an audit of your systems and who accessed it.  It’s better to be proactive and discover that your system was abused than find out because you’re being hit with a lawsuit.

I’m putting down the keyboard now because I can barely express the outrage I feel at this situation. 

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

3 responses so far

Feb 20 2010

Don’t spy on my children!

I am amazed that the administration at Lower Merion School District (LMSD) couldn’t figure out something my eight year old son realized in just a few minutes, “Spying on people in their own home is wrong.  And really creepy.”  But they obviously couldn’t, so when they supplied 18oo students with Apple laptops 18 months ago, they included software with the laptops that would allow them to track stolen laptops and remotely turn on the iSight cameras on the Macs and take pictures of the thief.  Or pictures of a student doing something unnamed and naughty in his own home.  And then use that picture as evidence to prove that a student was doing something inappropriate in his own home.  After all, who’d ever think a teenager with a laptop would do something inappropriate when home, alone, with access to the Internet and all the sites that are normally forbidden to him?

When LMSD purchase 1800 Mac laptops for their student body, they made what was obviously a legitimate decision in their eyes: place software on the laptops that would allow the district to track their investment if it was lost or stolen.  These are laptops we’re talking about, they’re highly mobile and cost approximately $2000 each, so it’s understandable that the district might want to protect their investment.  But they never told the students or their parents that the software came as part of accepting the laptops.  As far as I can tell, the software installed was most likely one of the following:  LoJack, Undercover, MacTrak, BigFix or Hidden.  All of these systems are meant to be used to track stolen laptops, have the ability to turn on the camera remotely and can take screen captures and pictures through the Mac’s iSight camera.  There maybe several other solutions, and with the exception of BigFix, these are all consumer level products that are meant for one user to track one laptop and aren’t really meant for tracking a large number of users.  This is important because an enterprise version of this spyware is going to have significant logging capabilities, where as a consumer version might be utterly lacking in logging.  Allegedly, only two administrators had access to the systems for turning on the tracking and camera capabilities of the software.  What we’ll have to see now is what sort of logging the use of the software generated.  If it’s a consumer level product, I don’t have much hope for an accurate count, unless the tracking service itself keeps a log of how often the tracking of each laptop is turned on.  LMSD maintains that they “only” used the software 42 times or less than 50, their stories are conflicting.

I’ve been working in IT for a long time and a lot of my friends and acquaintances are people who would loosely be called ‘hackers’ by the public.  I don’t mean the people who are trying to break into your computer, I mean the people who test the limits of any system they come in contact with, just to see what it can do.  Most of the people I know who are good at their IT and computer security jobs are like this; they want to push the envelope so that they know what their systems can and cannot do.  Which is why having tracking and spying software on student laptops scares the snot out of me!  I know from personal experience that one of the first things the administrators of this system probably did was test it to see what they could and could not see from using the spying software, see if they’d be detected when it was turned on and see how they’d be tracked when they did turn on the spy software.  In and of itself, this attitude isn’t a bad thing, it’s part of the nature of the business we work in and the people it attracts.  But given the sensitive nature of who and where these laptops were going to be, unless there’s a complete, unmodifiable log of everything that was done using the spyware, I’m all but certain it was abused at least once during the time it was enabled on student laptops.

Another potential for abuse is exactly what happened to crack this whole issue wide open; a well meaning, if ignorant, Vice Principal used the capability of the spyware to take a picture of a student doing something he wasn’t supposed to.  It’s not clear yet exactly what the nature of the student’s abuse was, if his laptop had been reported stolen, if the software was activated for some other reason or if this was part of a systematic spying on the students.  What is known is that the Vice Principal used pictures taken from the iSight camera with the spying software to confront a student and his family with evidence of wrongdoing in a misguided attempt by the Vice Principal to do what she considered to be the right thing.  Unluckily for her, when it comes to spying on students at home, it’s much less of a slippery slope and more of a sudden drop off into the abyss of ‘1984‘.  I guess the whole school district skipped the ethics class when they were earning their teaching credentials.

The scariest potential abuses of this system both involve people who’d purposefully and knowingly break the rules the school set around this spying system.  Imagine if one of the administrators of the spyware was a closet pedophile or simply thought one of the students was much more mature than his or her years.  Students probably had their laptops sitting on their desks and undressed in front of them fairly often; after all, normal people don’t think their laptop is going to spy on them, so why bother turning it off or closing it before getting ready for bed.  Even worse is the thought that some student or malicious outsider (the classic media definition of ‘hacker’) found out that LMSD had this software installed and was able to break into the spyware system and use it at will.  These are merely suppositions, worse-case scenarios, but they are some of the factors that LMSD should have thought of before implementing spyware on student laptops.  A system such that has this much potential for abuse should have a similarly appropriate level of tracking, alerting and logging to prevent the curious and malicious from doing unethical, illegal and immoral.  Don’t be surprised if at some point in the near future pictures of LMSD students start showing up on the Internet.

The good news is that in addition to the civil suit the Lower Merion School District has been hit with, the FBI has started an investigation into the allegations of wrong doing.  The lawsuit alone is going to cost LMSD more than losing every last laptop would have, possibly by several orders of magnitude.  The business decision to track the laptops therefore turns out to be an utter failure.  Hopefully the FBI will be able to poke around the LMSD systems deeply enough that they’ll find any abuse of the system or confirm the districts assertion that the system was only used 42 times.  This is where all the logging capabilities of the spyware will be tested and the software vendor should expect a subpoena and visit from the FBI soon.  My suggestion to the FBI would be to pay special attention to any system administrator or school official that has had their computer recently re-imaged; while not proof of guilt, given the severity of the potential crimes that could be committed with the schools spyware, it’d be worth sending out the hard drives for recovery of the previous file system.
I truly hope that the FBI finds that the LMSD number of 42 times the spyware was used is accurate.  That would mean that most of my worst case scenarios haven’t happened.  But I suspect that even if the system wasn’t purposefully abused, 42 only represents the number of times that the spyware was used while going through the proper processes and procedures at the school district; it might have been used or abused many more times by the people who had access to it by design or by flaw.  And even if 42 is accurate, it will be up to a jury to decide if each of those uses were justifiable and legal.  In a civil court it’s going to be much harder for the school district to defend itself than it will be when the criminal charges are brought against the people responsible for the installation of the spyware.  And I’m confident that at least one person will be brought up on charges unless the whole school district is run and managed by people who are perfect angels.  Given that the system has already been abused, I’m pretty sure that supposition has been disproven.

I’m a parent of two pre-teen boys.  I probably wouldn’t have accepted a laptop from the school for either of them personally; I have more than enough computing power at home that I don’t need to bring someone else’s computer into the house.  And if this had happened in my school district, I’d be screaming for blood.  The school administrators who instigated and ran this program need to lose their jobs; they obviously don’t have enough of a moral compass to understand the difference between right and wrong and have no right to be working with children and teaching the next generation.  That may sound harsh, but these are people who thought that the security and safety of a few laptops was more important than the privacy and safety of the students who were using the same laptops.  A piece of hardware may be expensive, but it’s infinitely less important than my children and the children who live in the Lower Merion School District.  The inability to see that fact is proof of their utter lack of suitability to be working with children in the first place.

It may be that we find out that the spyware LMSD installed was never abused and that every instance of it’s use was justifiable.  But the installation and use of the system in the first place without notifying the parents and students was a utter and complete violation of these families civil liberties and right to privacy, not to mention the administrator’s ethical responsibility.  It shows that the school district placed more value on the laptops than the Constitutional rights of these families.  I find that unacceptable and hope that between the civil suit and the FBI investigation a strong message is sent to schools around the country that this sort of spying on students is not and never will be acceptable in any way, shape or form.  I hate to think about what I’d do if I ever found out my sons’ school district was spying on them in this way; there’s a reason I earned the nickname “Captain Privacy”. 

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

6 responses so far

Nov 04 2009

I’ll do anything! Absolutely anything!

Published by under Family,General,PCI

I love my children, I really do.  Especially when they remind me of some of the life lessons I learned long ago but have forgotten from my conscious mind.  And even more importantly when those life lessons are the same lessons that can be applied to the job I do on a daily basis.  Let me tell you a short story and how that relates to security in general and PCI specifically.

As we all know, Halloween was only a few days ago and many of us have large bowls filled with candy sitting around the house.  My house is no different and like many other parents, we’ve tried limiting the intake of candy by our kids to dessert and perhaps one or two pieces of candy throughout the day.  Today was no exception, so when my children asked if they could have dessert, I told them they could have one piece of candy each.  My eldest son thought this was fine, but my youngest son spent a fair amount of time rooting around his bowl and when I finally told him it was time to make a decision, the look he gave me told me something was up.  I had him open his hand and show me what was in it; not surprisingly, he’d tried to hide a second piece of hard candy in his hand, hoping I wouldn’t catch it and he’d get two pieces of candy.  Big no-no.

I was in a fairly understanding mood, so I simply took the second took the second piece of candy away and told him he could have the first piece of candy he’d picked.  He gave me the puppy dog eyes, which I ignored and told him that he’d made his choice and had to live with it.  Rather than eat that piece of candy, he said it wasn’t what he wanted threw it back in the bowl and walked away.  A few minutes went by, we told the boys to go brush their teeth and go to bed.  Cue the histrionics!

The screams went along the lines of “I’m not going to bed without dessert!” and “I’ll do anything for dessert!  Absolutely anything!”  Which was met with “You had your chance, you made your choice, now it’s too late.”  He screamed, he cried, he screamed some more.  But Daddy can be an immovable object when his mind is set, and a tired eight year old is going to bed whether he wills it or not, so Daddy won the argument.  We’ll see if he’s learned his lesson for tomorrow night’s desert.

How does this relate to security?  Often, at least from our point of view, management is much like a spoiled eight year old who wants what they want, when they want it and the consequences be damned!  As an assessor, I hear companies tell me about a date they have to be compliant by and they’ll do absolutely anything to meet with that date.  But when you start telling them what’s going to be required to be complaint, you start hearing all the excuses as to why particular pieces are impossible, can’t we just assess on what they will be doing in the future or ignore that part of the requirements since they’ll be doing it “really soon”.    I have about as much sympathy for them as I do for my son; I’m not the one who’s missing dessert, so he can either do what he’s supposed to or miss out on his sweets.

The cry of “I’ll do anything!” only lasts until it’s time to actually do something all to often.  I use compliance as an example, but this is just a big a problem in the rest of security.  Management sees another company in their market get compromised and says they’ll do anything to avoid the same fate.  Of course, ‘anything’ only lasts until they see the actual manpower and budgetary numbers that would be required to secure the company from the same fate that befell the the competitor.  And they get extra sensitive when told that the numbers you gave them will only protect them from the vulnerability du jour and additional resources will be required to become what you’d consider reasonably secure.

PCI is much the same way.  Business think they can get away with half-way measures that almost, sort of meet with the PCI requirements, but when a QSA comes in and says, “Let me see what’s in your other hand.”, the crying begins.  “I’ll do anything to be compliant!”  Well, start by writing policies that meet the minimum standards.  “Anything but that!”  Configure your firewalls so they aren’t swiss cheese allowing almost anything any “Well, anything but those two things!”  Implement a log manager.  “Anything but …” You get the picture; the definition of anything quickly narrows from the dictionary definition of ‘anything’ to ‘the absolute minimum I can get away with’.  It’s human nature to try to get as much as possible with as little effort as possible, whether your a mega-corporation or a eight year old.

PCI isn’t difficult, it’s a pretty minimum baseline for securing your company.  Risk vs compliance arguments aside, most of the things in PCI are measures the vast majority of businesses should be doing to establish a secure infrastructure that’s capable of keeping the bad guys out or detecting when they do get in.  The people who are screaming because it’s too hard are the same people who probably wouldn’t be giving the security and IT teams the resources needed to secure the enterprise in the first place.  And much like an eight year old they’d rather scream and cry after the fact than plan ahead, follow the rules and do the right thing in the first place.

You can’t send a corporation to bed without dessert and you can’t leave them unprotected.  Just like parenting, you have to do your best and hope that it’s the right thing.  Businesses are going to be much better served by trying to look ahead at what needs to done and how to do it effectively and efficiently rather than waiting until the last minute.  It’s a mark of maturity that many businesses may never show.  And again, just like a parent, it’s our job as security professionals to try to teach the businesses we work for how to plan ahead rather than screaming “I’ll do anything” when it’s already too late.

I think it’s time for me to go raid the candy bowl.  Unless my wife says it’s already too late.

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

4 responses so far

« Prev - Next »